ICASI | CONFIDENTIAL © ICASI 2010
The Common Vulnerability Reporting Framework (CVRF)
Presented by Jim Duncan, Juniper SIRT
FIRST Conference 2010, Miami FL USA
2010 June 15
Agenda
• What is CVRF?
• Why CVRF?
• Who built CVRF and how?
• What’s the value of CVRF?
• What’s the timeline?
• Which member companies will adopt CVRF?
• Q&A
What is CVRF?
• CVRF = the Common Vulnerability Reporting Framework
• XML-based language
• Provides a standard format for the dissemination of security-related information
• 48 discrete elements
• XML is machine readable, which makes both production and consumption of advisories easier
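The slides claim the value of CVRF is machine-readable consumption, but do not show what a consumer does with such a document. The following is an added example, not code from the ICASI deck or from ICASI: it parses a CVRF-style XML advisory into plain records and crosses it against a product inventory, the question a consumer actually wants answered. The deck does not list CVRF's elements; the element and namespace names below are taken from the CVRF 1.1 schema that ICASI published later (2012), so they postdate this presentation. The advisory itself, the vendor and product names, the document ID and the CVE number are constructed placeholders.

```python
"""Consume a CVRF-style XML advisory (added example, not from the ICASI deck).

Element/namespace names follow the CVRF 1.1 schema ICASI published in 2012,
which postdates the 2010 deck. The advisory content below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# CVRF 1.1 namespaces: document metadata, product tree, vulnerability.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Status types that mean "you are exposed" for the listed product.
AFFECTED_TYPES = ("First Affected", "Known Affected", "Last Affected")

# Constructed sample: ExampleCo, ExampleOS, EXAMPLE-SA-2010-001 and
# CVE-2010-0000 are placeholders, not real identifiers.
SAMPLE_ADVISORY = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>ExampleOS crafted-packet restart (constructed sample)</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-SA-2010-001</ID></Identification>
    <Status>Final</Status><Version>1.0</Version>
    <InitialReleaseDate>2010-06-15T00:00:00+00:00</InitialReleaseDate>
    <CurrentReleaseDate>2010-06-15T00:00:00+00:00</CurrentReleaseDate>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:Branch Type="Vendor" Name="ExampleCo">
      <prod:Branch Type="Product Name" Name="ExampleOS">
        <prod:FullProductName ProductID="EXOS-10.0">ExampleOS 10.0</prod:FullProductName>
        <prod:FullProductName ProductID="EXOS-10.1">ExampleOS 10.1</prod:FullProductName>
      </prod:Branch>
    </prod:Branch>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Crafted packet causes device restart</vuln:Title>
    <vuln:CVE>CVE-2010-0000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>EXOS-10.0</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>EXOS-10.1</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet>
      <vuln:BaseScore>7.8</vuln:BaseScore><vuln:Vector>AV:N/AC:L/Au:N/C:N/I:N/A:C</vuln:Vector>
    </vuln:ScoreSet></vuln:CVSSScoreSets>
    <vuln:Remediations><vuln:Remediation Type="Vendor Fix">
      <vuln:Description>Upgrade to ExampleOS 10.1.</vuln:Description>
      <vuln:ProductID>EXOS-10.0</vuln:ProductID>
    </vuln:Remediation></vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_advisory(xml_text):
    """Parse one CVRF document into a dict of plain Python values.

    Every ProductID referenced from a Vulnerability must resolve to a
    FullProductName in the ProductTree; a dangling reference is an error
    rather than a silently empty product list.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}cvrfdoc" % NS["cvrf"]:
        raise ValueError("not a CVRF 1.1 document: %s" % root.tag)

    # ProductID -> human-readable product name, from the ProductTree.
    products = {e.get("ProductID"): (e.text or "").strip()
                for e in root.iterfind(".//prod:FullProductName", NS)}

    def resolve(pid_elem):
        pid = (pid_elem.text or "").strip()
        if pid not in products:
            raise ValueError("dangling ProductID %r" % pid)
        return products[pid]

    vulns = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        status = defaultdict(list)  # status type -> [product names]
        for s in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            for pid in s.iterfind("vuln:ProductID", NS):
                status[s.get("Type")].append(resolve(pid))
        base = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        vulns.append({
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            "cvss_base": float(base) if base is not None else None,
            "status": dict(status),
            "fixes": [r.findtext("vuln:Description", namespaces=NS) for r in
                      v.iterfind("vuln:Remediations/vuln:Remediation[@Type='Vendor Fix']", NS)],
        })
    return {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS),
        "status": root.findtext("cvrf:DocumentTracking/cvrf:Status", namespaces=NS),
        "vulnerabilities": vulns,
    }


def needs_attention(advisory, inventory, min_base_score=0.0):
    """Return sorted (cve, product) pairs where a product the consumer runs is
    listed as affected and the CVSS base score meets the caller's threshold."""
    inv = set(inventory)
    hits = set()
    for v in advisory["vulnerabilities"]:
        if v["cvss_base"] is not None and v["cvss_base"] < min_base_score:
            continue
        for t in AFFECTED_TYPES:
            hits.update((v["cve"], name) for name in v["status"].get(t, []) if name in inv)
    return sorted(hits)


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(adv["id"], adv["status"])
    print(needs_attention(adv, ["ExampleOS 10.0", "ExampleOS 10.1"]))
```

The point of the example is the contrast with the text-blob reports surveyed later in the deck: product status, score and fix come out as typed values that can be matched against an inventory without regular expressions over prose, and a reference to an unknown product is rejected instead of being ignored.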
CVRF Roles
CVRF Roles: Document Producer
CVRF Roles: Document Consumer
Why CVRF?
• No existing standard covers this vulnerability reporting space
• Existing report formats are ad hoc and producer-specific
Document Producer Reports at a Glance
Cisco
Element                                    Type
Summary                                    Text blob
Affected Products                          Container
Vulnerable Products                        List of text blobs
Products Confirmed Not Vulnerable          Bulleted list
Details                                    Text blob
Vulnerability Scoring Details              Text blob
Impact                                     Text blob
Software Versions and Fixes                Table
Workarounds                                Text blob
Obtaining Fixed Software                   Text blob
Exploitation and Public Announcements      Text blob
Status of this Notice                      Text blob
Distribution                               Text blob
Revision History                           Table
Cisco Security Procedures                  Text blob

Microsoft
Element                                    Type
General Information                        Container
Executive Summary                          Text blob
Affected and Non-Affected Software         Container
Affected Software                          Table
Non-Affected Software                      Table
FAQ                                        Text blob
Vulnerability Information                  Container
Severity Ratings and Vulnerability Identifiers   Table
0 or more vulnerabilities sorted by CVE    Container
Vulnerability Description                  Text blob
Update Information                         Container
Detection and Deployment Tools Guidance    Text blob
Security Update Deployment                 Text blob
Other Information                          Container
Acknowledgements                           Text blob
Microsoft Active Protections Program       Text blob
Support                                    Text blob
Disclaimer                                 Text blob
Revisions                                  Bulleted list
Document Producer Reports at a Glance, cont’d
CERT
Element                                    Type
Target                                     Bulleted list
Access Vector                              Bulleted list
Impact                                     Bulleted list
Remediation                                Bulleted list
Details                                    Text blob
Impact                                     Text blob
Severity                                   Text blob
Vulnerability Coordination Information     Text blob
Vendor Information                         Bulleted list
Remediation                                Text blob
References                                 Bulleted list
Contact Information                        Text blob
Revision History                           Bulleted list

Secunia
Element                                    Type
Secunia Advisory                           String
Release Date                               Date
Last Update                                Date
Popularity                                 Integer
Comments                                   Text blob
Criticality Level                          Enum
Impact                                     Enum
Where                                      Enum
Authentication Level                       Text blob
Report Reliability                         Text blob
Solution Status                            Text blob
Systems Affected                           Text blob
Approve Distribution                       Text blob
Automated Scanning                         Text blob
Operating System                           Bulleted list
Secunia CVSS Score                         Text blob
CVE References                             Bulleted list
Description                                Text blob
Solution                                   Text blob
Provided and/or Discovered by              Text blob
Changelog                                  Text blob
Original Advisory                          Text blob
Other References                           Text blob
Alternate/Detailed Remediation             Text blob
Deep links                                 Text blob
Who’s involved?
• Industry Consortium for Advancement of Security on the Internet (ICASI)
• Formed in 2008 to address international, multi-product security challenges
• Non-profit, vendor agnostic
• ICASI members include Cisco, IBM, Intel, Juniper, Microsoft, and Nokia
• Non-ICASI member contributors include Oracle and Red Hat
How was CVRF built?
What is the Value of CVRF?
• CVRF is a response by industry to customer demand
• Customers are looking for a simple, automated way to absorb security-related information
• Vendors are looking for an easily produced way to generate machine-readable security documentation from their current processes
• CVRF delivers a standard format through which disparate security-related data sets can be assimilated
Timeline
• 2008
  • Issue proposed as a goal for ICASI
  • CVRF work group formed
• 2009
  • Investigation and gap analysis
  • Gathered reports from vendors and CERTs
  • Comparison with surveys
  • Draft problem statement and use cases
  • Design common Framework
• 2010
  • Define standard
  • Develop dictionary, schema and sample style sheets
  • Test internal to working group
  • Conduct peer review
  • Incorporate peer review comments
• Late 2011
  • Implementation
Company Adoption
Company     Plans             Role                Timeline
Cisco       evaluating        producer            2011
IBM         limited support   producer/consumer   2011/12
Intel       limited support   producer/consumer   2011
Juniper     limited support   producer/consumer   2011/12
Microsoft   support           producer            2011
Nokia       evaluating        producer            2011
Oracle      evaluating        producer/consumer   2011/12
Red Hat     support           producer            2010
The “ask”:
• Well-qualified organizations for peer review
• Would your organization use an industry proposed framework to accomplish the purpose outlined here?
• Please email [email protected] to request participation
• Other comments or questions?